<p>上善若水 – Tianyi Cui: the idle chatter of a programmer and engineering guy. Feed <a href="https://blog.ctyi.me/feed.xml">https://blog.ctyi.me/feed.xml</a>, generated by Jekyll, last updated 2023-12-30T00:33:46+00:00.</p>
<h1>Seamless Linux disk encryption with systemd-measure</h1>
<p>2023-12-29 · <a href="https://blog.ctyi.me/tech/2023/12/29/systemd-measure">https://blog.ctyi.me/tech/2023/12/29/systemd-measure</a></p>
<p>I’ve been using Arch Linux for a while. One pain point for me is that there is no push-button end-to-end data protection solution like <a href="https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/">BitLocker</a> on Windows or <a href="https://support.apple.com/guide/mac-help/protect-data-on-your-mac-with-filevault-mh11785/mac">FileVault</a> on Mac. I’ve used solutions like <a href="https://wiki.archlinux.org/title/dm-crypt/System_configuration">LUKS2</a> with <a href="https://wiki.archlinux.org/title/Systemd-cryptenroll">TPM2</a>, but they are not as seamless as BitLocker: I have to enter the password every time the kernel is updated, since the TPM measurements change.</p>
<p>Recently, I learned that <code class="language-plaintext highlighter-rouge">systemd-measure</code> was <a href="https://lwn.net/Articles/913287/">introduced</a> in systemd version 252. In short, it can precompute the expected TPM PCR values of a unified kernel image (UKI) before that image is ever booted. I played around with it, and below is my config. Hopefully it works for you if you are on Arch Linux.</p>
<h2 id="environment-before-the-setup">Environment before the setup</h2>
<ul>
<li>A LUKS2-encrypted root partition unlocked by the <code class="language-plaintext highlighter-rouge">sd-encrypt</code> mkinitcpio hook, see <a href="https://wiki.archlinux.org/title/dm-crypt/Encrypting_an_entire_system">here</a></li>
<li>A properly configured Secure Boot key hierarchy (PKI). I personally use <a href="https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Assisted_process_with_sbctl">sbctl</a></li>
</ul>
<h2 id="how-it-works">How it works</h2>
<p><code class="language-plaintext highlighter-rouge">systemd-cryptenroll</code> can configure a key slot that the TPM will unlock for <strong>ANY</strong> set of PCR values, as long as those values are signed by a specific public key. <code class="language-plaintext highlighter-rouge">systemd-measure</code> computes the expected PCR values of a UKI; the measurement is signed with the key pair and the signature is inserted into the UKI. At boot, the initrd hands the TPM a signature over the current PCR values, the TPM releases the volume key, and the initrd unlocks the volume without a passphrase.</p>
<h2 id="steps">Steps</h2>
<ol>
<li>Generate a key pair to sign the PCR measurements.
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out /etc/systemd/tpm2-pcr-private-key.pem
openssl rsa -pubout -in /etc/systemd/tpm2-pcr-private-key.pem -out /etc/systemd/tpm2-pcr-public-key.pem
</code></pre></div></div>
<p>The path <code class="language-plaintext highlighter-rouge">/etc/systemd/tpm2-pcr-private-key.pem</code> is not arbitrary; it follows the default locations systemd searches, as documented in the <a href="https://man.archlinux.org/man/crypttab.5.en">crypttab man page</a>:</p>
<blockquote>
<p>If this option is not specified but it is attempted to unlock a LUKS2 volume with a signed TPM2 PCR enrollment a suitable signature file tpm2-pcr-signature.json is searched for in /etc/systemd/, /run/systemd/, /usr/lib/systemd/ (in this order).</p>
</blockquote>
</li>
<li>Install <code class="language-plaintext highlighter-rouge">systemd-ukify</code>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pacman -S systemd-ukify
</code></pre></div></div>
</li>
<li>Draft a config file following the <a href="https://man.archlinux.org/man/ukify.1.en">ukify man page</a>
<div class="language-conf highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[UKI]
Linux=/boot/vmlinuz-linux
Initrd=/boot/intel-ucode.img /boot/initramfs-linux.img
Cmdline=@/etc/kernel/cmdline
OSRelease=@/etc/os-release
PCRBanks=sha256
SecureBootSigningTool=sbsign
SecureBootPrivateKey=/usr/share/secureboot/keys/db/db.key
SecureBootCertificate=/usr/share/secureboot/keys/db/db.pem
[PCRSignature:default]
PCRPrivateKey=/etc/systemd/tpm2-pcr-private-key.pem
PCRPublicKey=/etc/systemd/tpm2-pcr-public-key.pem
</code></pre></div></div>
<p>Note that I used <code class="language-plaintext highlighter-rouge">sbctl</code>’s db key for the Secure Boot signature, and the key pair generated in step 1 for the PCR measurement signature.</p>
</li>
<li>Run <code class="language-plaintext highlighter-rouge">ukify</code> to generate the UKI
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ukify -c /etc/ukify.conf build --output /boot/EFI/Linux/ukify-linux.efi
</code></pre></div></div>
<p>Per the <code class="language-plaintext highlighter-rouge">ukify</code> man page, it calls <code class="language-plaintext highlighter-rouge">systemd-measure</code>, precalculates the PCR values, and signs the measurement with the key pair. The signature is stored in the <code class="language-plaintext highlighter-rouge">.pcrsig</code> section. According to the <code class="language-plaintext highlighter-rouge">systemd-stub</code> man page:</p>
<blockquote>
<p>A “.pcrsig” section with a set of cryptographic signatures for the expected TPM2 PCR values after the kernel has been booted, in JSON format. This is useful for implementing TPM2 policies that bind disk encryption and similar to kernels that are signed by a specific key.</p>
</blockquote>
<p>The output path <code class="language-plaintext highlighter-rouge">/boot/EFI/Linux/ukify-linux.efi</code> is also deliberately chosen so that <code class="language-plaintext highlighter-rouge">systemd-boot</code> picks the image up automatically.</p>
</li>
<li>Create a new LUKS2 key slot bound to the public key of the key pair
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>systemd-cryptenroll --tpm2-device=auto --tpm2-public-key=/etc/systemd/tpm2-pcr-public-key.pem \
/dev/disk/by-uuid/$DISKUUID
</code></pre></div></div>
<p>The LUKS2 volume can now be unlocked by any PCR measurement signed with this key pair. The UKI already carries such a signed measurement, so the initrd can unlock the volume.</p>
</li>
</ol>
<p>Note that I did not create pacman hooks to rebuild the UKI after kernel or microcode updates; you will need to add those yourself.</p>
<h2 id="conclusion">Conclusion</h2>
<p>In conclusion, implementing seamless Linux disk encryption with <code class="language-plaintext highlighter-rouge">systemd-measure</code> and related tools offers a robust solution for protecting your data. While the setup process involves several steps, the resulting configuration provides a secure and user-friendly experience.</p>
<p>By leveraging <code class="language-plaintext highlighter-rouge">systemd-cryptenroll</code> and <code class="language-plaintext highlighter-rouge">ukify</code>, we’ve established a system where the Unified Kernel Image’s measurements, signed by a secure keypair, enable automatic unlocking of the LUKS2-encrypted volume. This approach reduces the need for manual intervention during kernel updates, enhancing the overall convenience of disk encryption on Arch Linux.</p>
<p>Remember to adapt the configurations to your specific environment and consider additional security measures, such as updating the UKI after kernel or microcode updates.</p>
<p>With these steps, you can enjoy the benefits of seamless Linux disk encryption, bringing us closer to the ease of use provided by similar solutions on other operating systems.</p>
<p>Happy encrypting!</p>
<h1>Envelope: Tracking stamped plain mail for free</h1>
<p>2023-04-09 · <a href="https://blog.ctyi.me/%E7%94%9F%E6%B4%BB/2023/04/09/Envelope">https://blog.ctyi.me/%E7%94%9F%E6%B4%BB/2023/04/09/Envelope</a></p>
<p><strong>Disclaimer: This tool has no warranty and I assume no liability for your mail loss, for example a lost tax return to the IRS.</strong></p>
<p>It is tax season again. I hate going to the post office just to get a Certified Mail label so I know my tax return was delivered, and I hate paying $4.15 for Certified Mail. I know there is a way to track plain mail with a barcode (<a href="/%E7%94%9F%E6%B4%BB/2021/06/03/USPS_IV_MTR.html">see my other post here</a>), but it is not easy to use. So I made a tool.</p>
<h1 id="how-to-use-it">How to use it</h1>
<ol>
<li>Visit <a href="https://slu.t.cuitian1.com/envelope">https://slu.t.cuitian1.com/envelope</a></li>
<li>Type in the recipient address and your return address, then click generate</li>
<li>Remember your serial number and the recipient ZIP code</li>
<li>Print the address and the barcode (<strong>the most important part</strong>) onto the envelope</li>
<li>Track the piece using the bottom part of the website</li>
<li>Star the GitHub project if you like it</li>
<li>If the website is down, you can deploy your own from the <a href="https://github.com/1997cui/envelope">GitHub repo</a>.</li>
</ol>
<p><img src="/wp-content/uploads/2023/sample_tracking.png" alt="A sample tracking" />
Above is a sample tracking record that can be obtained from the website.</p>
<h2 id="why-it-works">Why it works</h2>
<p>As many people know, USPS has a handy tool called <a href="https://www.usps.com/manage/informed-delivery.htm">Informed Delivery</a>. It works by USPS scanning the barcode on each piece of mail, which uniquely identifies the delivery address.</p>
<figure class="image" style="text-align: center;">
<img src="/wp-content/uploads/2021/USPSIVMTR/samplemail.png" alt="letter with a barcode" style="text-align: center; display: block; margin: 0 auto;" />
<figcaption><p>letter with a barcode</p>
</figcaption>
</figure>
<p>It turns out that you can generate your own barcode, put it on the mail, and USPS will track it for you. This functionality is called <a href="https://iv.usps.com/">Informed Visibility</a>, and it uses the same barcode.</p>
<p>I built this tool on top of Informed Visibility: it generates the barcode for you so that the piece can be tracked.</p>
<h2 id="limitations">Limitations</h2>
<p>USPS doesn’t scan the barcode at every hop, so the tracking information is not as detailed as for Certified Mail. Specifically, for a First-Class letter the carrier does not scan pieces individually during delivery, so the last hop (the delivery itself) is not reliable. Sometimes my tool captures a logical delivery event, which means the carrier entered the recipient’s ZIP code, but not always. Still, the tracking information gives me enough confidence that the mail was delivered.</p>
<h1>Goodbye Certified Mail: making stamped USPS plain letters (First-Class Mail) trackable</h1>
<p>2021-06-03 · <a href="https://blog.ctyi.me/%E7%94%9F%E6%B4%BB/2021/06/03/USPS_IV_MTR">https://blog.ctyi.me/%E7%94%9F%E6%B4%BB/2021/06/03/USPS_IV_MTR</a></p>
<p><strong>Disclaimer: I accept no responsibility if a letter you send to the IRS following this post gets lost.</strong></p>
<p>The post office and the plain letter, long extinct and obsolete in China, are not only still common in the US but positively thriving. Anyone living in the US knows USPS well: open the mailbox every day and it is stuffed with colourful advertising mail, even McDonald’s coupons. At the same time, we can never quite escape USPS’s grip: every now and then we need to mail something out, such as a tax return to the IRS, and sometimes even forms, copies of SSN documents and the like.</p>
<p>Such documents always gave me a headache: I had to make a trip to the post office to buy envelopes and stamps. I also did not dare just drop them into an envelope, because with an agency like the IRS a letter can easily vanish without a trace and you never know whether it was lost on the way. For that reason I also had to queue at the post office for an extra service called <a href="https://www.usps.com/ship/insurance-extra-services.htm">Certified Mail</a> (as of June 3, 2021, $3.60). Later, working from home because of COVID-19, I first bought a printer, then stocked up on stamps and envelopes and worked out how to print envelopes. Now I could print my documents at home, stick on a stamp and drop them straight into a mailbox, but the problem that a letter might vanish untracked remained. Recently, while slacking off, I tinkered some more and finally made an ordinary envelope with 1 oz postage, dropped straight into the mailbox, trackable. At last: <em>a trackable plain letter for the price of one stamp without leaving the building</em>.</p>
<h2 id="前提条件">Prerequisites</h2>
<ul>
<li>A printer (one that can print envelopes)</li>
<li>Envelopes (that can be printed on)</li>
<li>Stamps</li>
<li>The Microsoft Office suite</li>
</ul>
<h2 id="工作原理">How it works</h2>
<figure class="image" style="text-align: center;">
<img src="/wp-content/uploads/2021/USPSIVMTR/samplemail.png" alt="Example envelope with an IMb, from the web" style="text-align: center; display: block; margin: 0 auto;" />
<figcaption><p>Example envelope with an IMb, from the web</p>
</figcaption>
</figure>
<p>The picture above is an example envelope I found online. If you look closely at the letters you receive, each one has an odd-looking barcode like this in the bottom-right corner or inside the recipient address block. As USPS processes a letter it passes through a series of machines, each of which scans this barcode to work out the destination and sort the letter automatically. The first machine a letter we mail passes through is the one that cancels the postage (postage cancellation) and prints the barcode. This barcode can of course also be used to track the letter, as long as it is unique in the system for 45 days.</p>
<p>Note, however, that not every stamped plain letter is machine-scanned at every step (in transit they travel in containers straight to the destination), and the carrier does not scan them at delivery either. So the tracking you usually get is just the entry into the system and the final sort shortly before delivery, far less detail than Certified Mail.</p>
<p>Also, you may have used USPS’s <a href="https://informeddelivery.usps.com/box/pages/intro/start.action">Informed Delivery</a> feature: it uses this barcode to work out which letters are addressed to your home and emails you every day.</p>
<p>All we need to do is print the barcode (called the <a href="https://postalpro.usps.com/mailing/intelligent-mail-barcode">IMb (Intelligent Mail Barcode)</a>) on the envelope ourselves and then find some way to track it.</p>
<h2 id="tldr">TL;DR</h2>
<p>If you want the lazy route, sign up and pay for <a href="https://www.lettertrackpro.com/">Letter Track Pro</a> (nobody is paying me for the plug, and I have not used it myself).</p>
<h2 id="完整版教程">Full tutorial</h2>
<h3 id="下载安装条形码对应的字体以及word信封模板">Download and install the barcode font and the Word envelope template</h3>
<p>All the files can be downloaded from <a href="https://postalpro.usps.com/onecodesolution">USPS IMb Fonts and Encoders Download</a>. The ones we need most are <code class="language-plaintext highlighter-rouge">uspsEncoderMsOffice64-1.3.1.zip</code> and <code class="language-plaintext highlighter-rouge">uspsFontsNonAFP-1.4.0.zip</code>. The first is the Office template, the second the fonts; the TrueType fonts are under <code class="language-plaintext highlighter-rouge">fonts\scalable\trueType</code>.</p>
<p>Then find <code class="language-plaintext highlighter-rouge">Excel\IM Barcode Envelope Size 10.doc</code> in the installation directory and open it; see its own instructions for the details.</p>
<h3 id="注册并使用tracking服务">Register for and use the tracking service</h3>
<p>The service that tracks IMb plain letters is called <a href="https://iv.usps.com">Informed Visibility</a>. Although it is nominally only open to business customers, registration is no problem and individuals can sign up. The registration entry point is not easy to find; the steps are:</p>
<ol>
<li>Register an account at the <a href="https://gateway.usps.com">USPS Business Customer Gateway</a> following the prompts. Once registered, do not be put off by the bewildering interface; read on.</li>
<li>Click as shown in the picture.
<img src="/wp-content/uploads/2021/USPSIVMTR/reg_getaccess.png" alt="Step 2" /></li>
<li>Click <code class="language-plaintext highlighter-rouge">Get Access</code>, then wait a while for USPS to approve.</li>
<li>You should then be able to get into <a href="https://iv.usps.com">Informed Visibility</a>.</li>
</ol>
<h3 id="打印信件寄信">Print and send the letter</h3>
<p>Just use the Excel and Word template files downloaded above. The ZIP code can be 5, 9 or 11 digits, but it must be correct. You can look it up with <a href="https://tools.usps.com/zip-code-lookup.htm">USPS Lookup a ZIP Code</a>. The last two digits of the 11-digit form are the delivery point.</p>
<p>For the Barcode Identifier see <a href="https://postalpro.usps.com/node/3528">this</a> document, and for the Service Type Identifier (STID) see <a href="https://postalpro.usps.com/service-type-identifiers/stidtable">this</a> document. As of June 3, 2021, setting the Barcode Identifier to <code class="language-plaintext highlighter-rouge">00</code> and the STID to <code class="language-plaintext highlighter-rouge">040</code> got my letters tracked.</p>
<p>The <a href="https://postalpro.usps.com/node/221">Intelligent Mail® Barcode Technical Resource Guide</a> explains in detail how to fill in every field of the barcode. I number my Serial Number field starting from <code class="language-plaintext highlighter-rouge">000001</code>.</p>
<p>Your Mailer ID (MID) can be looked up <a href="https://mid.usps.com">here</a>.</p>
<p>Finally, use Word’s mail merge and envelope printing features, fiddle with the printer a bit, and the sender, recipient and barcode are printed on the envelope. USPS also provides a <a href="https://postalpro.usps.com/ppro-tools/encoder-decoder">barcode encoder/decoder tool</a>; if you do not use Word, you can fill in the fields as described above with this tool and draw the barcode onto the envelope. <em>Note that there are <a href="https://pe.usps.com/text/dmm300/202.htm#ep1047220">placement requirements</a> for where it goes.</em></p>
<p>Lastly, put a stamp on the envelope, put the contents in, and drop it into the <del>trash can</del> mailbox downstairs.</p>
<h3 id="查看追踪信息">Viewing the tracking information</h3>
<p>Go to <a href="https://iv.usps.com">Informed Visibility</a> and create a query. Note that in Step 2 you must choose Download rather than Online View, and in Step 3 set <code class="language-plaintext highlighter-rouge">Object Type</code> to Piece.</p>
<figure class="image" style="text-align: center;">
<img src="/wp-content/uploads/2021/USPSIVMTR/query.png" alt="IV query: setting the filter" style="text-align: center; display: block; margin: 0 auto;" />
<figcaption><p>IV query: setting the filter</p>
</figcaption>
</figure>
<p>Ta-da, we get the following result.</p>
<figure class="image" style="text-align: center;">
<img src="/wp-content/uploads/2021/USPSIVMTR/result.png" alt="IV query result" style="text-align: center; display: block; margin: 0 auto;" />
<figcaption><p>IV query result</p>
</figcaption>
</figure>
<p>For what each field means, see the <a href="https://postalpro.usps.com/informedvisibility/OperationCodesList">IV®-MTR Operation Codes List</a> and the <a href="https://postalpro.usps.com/informedvisibility/DataDictionary">IV-MTR Data Dictionary</a>.</p>
<h1>Using Chinese in WSL</h1>
<p>2018-09-23 · <a href="https://blog.ctyi.me/%E6%8A%80%E6%9C%AF/2018/09/23/X11Forwarding">https://blog.ctyi.me/%E6%8A%80%E6%9C%AF/2018/09/23/X11Forwarding</a></p>
<p>My WSL distribution is Debian. First, install the Chinese font package <code class="language-plaintext highlighter-rouge">fonts-noto-cjk</code>.</p>
<p>Then install the Chinese input method packages <code class="language-plaintext highlighter-rouge">fcitx</code>, <code class="language-plaintext highlighter-rouge">fcitx-pinyin</code> and <code class="language-plaintext highlighter-rouge">fcitx-googlepinyin</code>.</p>
<p>Then open <code class="language-plaintext highlighter-rouge">.bashrc</code> or <code class="language-plaintext highlighter-rouge">.zshrc</code> and add:</p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>export LC_ALL="zh_CN.UTF-8"
export DISPLAY=:0
export QT_IM_MODULE=fcitx
export GTK_IM_MODULE=fcitx
export XMODIFIERS=@im=fcitx
</code></pre></div></div>
<p>Then start <code class="language-plaintext highlighter-rouge">fcitx</code>, run <code class="language-plaintext highlighter-rouge">fcitx-config-gtk3</code> and add Google Pinyin to the input method list, and you are done.</p>
<h1>Connecting to high-speed-rail Wi-Fi without the client app</h1>
<p>2018-08-06 · <a href="https://blog.ctyi.me/%E7%94%9F%E6%B4%BB/2018/08/06/train-wifi">https://blog.ctyi.me/%E7%94%9F%E6%B4%BB/2018/08/06/train-wifi</a></p>
<p>The Fuxing high-speed trains have had Wi-Fi for a while, but it currently requires you to download an app and verify your phone number in it before you can log in, which I find rather annoying. To get around this, open a browser and visit the following URL:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>http://portal.12306wifi.cn/cms/app/requestInternet?ip=192.168.xx.xxx&mac=FFFFebf2FFFF&phone=13xxxxxxxxx
</code></pre></div></div>
<p>Just replace the ip, mac and phone values with your own.</p>
<h1>Watching IPTV on any device</h1>
<p>2018-08-06 · <a href="https://blog.ctyi.me/%E6%8A%80%E6%9C%AF/2018/08/06/IPTV">https://blog.ctyi.me/%E6%8A%80%E6%9C%AF/2018/08/06/IPTV</a></p>
<p>First, the IGMP channel list captured from <strong>Tianjin Unicom</strong> IPTV, converted to HTTP, is <a href="/wp-content/uploads/2018/IPTV_router.m3u">here</a>, and the original channel list is <a href="/wp-content/uploads/2018/IPTV_multicast.m3u">here</a> for reference.</p>
<p>This started with me poking around the optical network terminal (ONT) supplied by Tianjin Unicom and figuring out how it works. You can think of the ONT as having two kinds of logical network interfaces:</p>
<p>One kind connects to the central office over the fibre. The layer-2 protocol on the fibre is Ethernet, and VLAN tags steer the traffic into the ONT’s different logical interfaces. On each logical interface the VLAN tag is stripped, and you can configure a different layer-3 protocol (IP or PPP), how the IP address is obtained, the routing table, and whether packets leaving that port need NAT.</p>
<p>The other kind is attached to the ONT’s physical interfaces, such as the LAN ports and WLAN. On these, the ONT can hand out DHCP leases (which is why plugging a cable into the ONT gets you a private IP), configure IP addresses, and so on.</p>
<p>The ONT forwards packets between these two kinds of interface in two ways. The first is the ordinary Linux packet forwarding path (routing to the matching egress interface via the routing table and matching rules in iptables). For example, configure the IPTV uplink interface and the Internet uplink (PPPoE dial-up), set up the routing table, and clients can reach the Internet and play IPTV directly. The other, cruder way is to bridge two interfaces together (for instance, bridge the Internet uplink with the downstream LAN, and you can then dial PPPoE from the LAN side).</p>
<p>As you may have guessed, to deliver IPTV Tianjin Unicom configured a separate logical interface for it in the ONT, plus some routes, so that when the IPTV set-top box sends a request to the ONT the traffic goes into the correct VLAN rather than the Internet or telephone VLAN. So, to let devices on the home WLAN reach IPTV as well, our home router needs, besides the virtual interface created by PPPoE dial-up, an IP interface directly connected to the ONT, and a route on the router that sends IPTV traffic out that interface rather than the PPPoE one.</p>
<p>The tricky part is that live IPTV is actually delivered with <a href="https://zh.wikipedia.org/wiki/%E5%9B%A0%E7%89%B9%E7%BD%91%E7%BB%84%E7%AE%A1%E7%90%86%E5%8D%8F%E8%AE%AE">IGMP</a> and multicast. Multicast requires the IGMP join requests to reach the ONT’s upstream logical interface, and the NATed layer-3 forwarding between our router and the ONT blocks this. To make it work on the router we use igmpproxy to add rules forwarding multicast from the WAN zone to the LAN zone. We can also run udpxy on the router to convert the multicast UDP streams into HTTP for convenient use inside the LAN.</p>
<p><strong>Pitfall: for some reason the OpenWrt firmware does not handle IGMP queries properly, so the upstream never receives the IGMP reports. The fix is to change the IGMP proxy mode on the ONT from snooping to proxy; otherwise the stream drops every 5 minutes. Also, the OpenWrt config file for udpxy has a bug: verbose is <code class="language-plaintext highlighter-rouge">-v</code>, not <code class="language-plaintext highlighter-rouge">-V</code>.</strong></p>
<h1>The blog has moved to Jekyll!</h1>
<p>2018-08-01 · <a href="https://blog.ctyi.me/%E6%9C%8D%E5%8A%A1%E5%99%A8/2018/08/01/blog-migration">https://blog.ctyi.me/%E6%9C%8D%E5%8A%A1%E5%99%A8/2018/08/01/blog-migration</a></p>
<p>I had been using WordPress, but WordPress has become more and more complex and also requires running your own server. I had long fancied GitHub’s page hosting, and not long ago custom domains gained <a href="https://blog.github.com/2018-05-01-github-pages-custom-domains-https/">HTTPS support</a>, so there was no reason left to stick with WordPress. During the migration, converting HTML to Markdown caused quite a few layout problems, and the comment system was switched to <a href="https://help.disqus.com/">Disqus</a>. So far the experience is good; I hope to write more from now on.</p>
<h1>Changes at my school</h1>
<p>2015-12-29 · <a href="https://blog.ctyi.me/archives/%E5%AD%A6%E6%A0%A1%E4%B9%8B%E5%8F%98%E8%BF%81">https://blog.ctyi.me/archives/%E5%AD%A6%E6%A0%A1%E4%B9%8B%E5%8F%98%E8%BF%81</a></p>
<p>Recently I happened to notice that 四牌楼 at my university is about to be demolished, and saw the 新创基金会 foundation publish a piece in its memory. Moved by this, I wrote this essay.</p>
<p>I vaguely remember that the first time I reached 四牌楼, at the edge of campus, was when I happened to pass it on the way to the security office to apply for a banner. I still remember thinking, that first time, “this building has a real air of historical weathering”. The next time I passed 四牌楼, a classmate walking with me asked, “do you know where USTC’s Teaching Building 4 is?” I looked blank, and he said, “it’s in that building ahead; one of the room numbers there is 4xxx”. After that, apart from mailing my textbooks home before iGEM, I had no further dealings with those buildings. All I remember of them is that, other than the green vines climbing the walls, there was nothing but endless decay and decline.</p>
<p>I first learned the name 四牌楼 at an alumni gathering in Boston; I still remember the scene. We were sitting around chatting when an alumnus from the class of the seventies suddenly asked me, “how is 四牌楼 these days?” I had no idea what 四牌楼 was. Only after his gesturing did I realise that those long-dilapidated buildings were 四牌楼. From him I learned that 四牌楼 had been their dormitory; 四牌楼 was to them what Building 221 is to the students of the School of the Gifted Young. Their words carried endless warmth and nostalgia.</p>
<p>At noon today, returning to the dorm from West Campus, I found the road ahead blocked off and was puzzled. Back in my room I opened social media and saw, in bold, the “Notice on the Closure of Certain Roads on East Campus”, and from friends’ posts I saw the commotion of 四牌楼 being torn down. Then it dawned on me: 四牌楼 is leaving us, just like that. And yet I thought, “what is 四牌楼 to me? Better to tear it down and build something new”; perhaps the people doing the demolition feel the same. Still, I felt a faint sorrow on the alumni’s behalf. After all, to return to your alma mater and find it no longer your alma mater, nothing familiar, nothing recognisable, nothing but modern high-rises as far as the eye can see, leaves a desolation in the heart. I had already been through this once with my high school and did not want it repeated at my university.</p>
<p>Tianjin No. 1 High School, since I graduated, has changed its uniform, its culture and its school flower. The lilac of old will never appear again; “lilac” has even become a forbidden word on campus. Revisiting my old school, all I saw were golden school buildings and golden-clad students, and never again that touch of elegant purple from yesterday. The buildings of Tianjin No. 1 stand as before, but the lilacs in the flowerbeds are gone; the teachers are still there, but the calm and grace of those years are gone. Things are no longer what they were, and neither are the people.</p>
<p>This reminded me of an article I once read on why American universities receive so many donations; all I remember of it is that their buildings have gone unchanged for nearly a century. But does that not also mean development slows down? China’s pace of development in recent years is plain for all to see, yet one old building after another, carrying the memories of countless people, has become a fleeting passer-by of history. I can only hope that amid this “China speed” even the tiniest trace of history can be kept.</p>
<p>By 崔天一 (Tianyi Cui)</p>
<h1>Trip to Taiwan</h1>
<p>2015-08-10 · <a href="https://blog.ctyi.me/archives/%E5%8F%B0%E6%B9%BE%E4%B9%8B%E6%97%85">https://blog.ctyi.me/archives/%E5%8F%B0%E6%B9%BE%E4%B9%8B%E6%97%85</a></p>
<p>I write this to commemorate my trip to Taiwan from July 19 to July 29, 2015.</p>
<p>The purpose of this trip was to attend the iGEM Asia Conference, that is, the iGEM meetup hosted by NCTU (National Chiao Tung University). Right after final exams, the four of us, Ziyu Wu, Nancy, Xiaofan Yuan and I, set off for Hefei Xinqiao International Airport. Our flight left Hefei on July 19. Hefei’s airport is so small that customs opened specially for our flight; when no flight was checking in, the international departures hall was not even open.</p>
<figure id="attachment_202" style="width: 300px" class="wp-caption alignnone"><a href="https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150719_080203.jpg"><img class="size-medium wp-image-202" src="https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150719_080203-300x225.jpg" alt="The deserted airport" width="300" height="225" srcset="https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150719_080203-300x225.jpg 300w, https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150719_080203-1024x768.jpg 1024w" sizes="(max-width: 300px) 85vw, 300px" /></a><figcaption class="wp-caption-text">The deserted airport</figcaption></figure>
<p>As soon as we boarded, we felt the warmth and hospitality of the Taiwanese. Seated next to us was a Taiwanese man who had come to the mainland for sightseeing and to visit relatives. On learning that we were heading to Taiwan for a conference, he started introducing the island’s scenic spots and food, and we were still chatting right up until we got off the plane.</p>
<p>On landing, we had an avocado at the airport.<a href="https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150719_125710.jpg"><img class="alignnone size-medium wp-image-204" src="https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150719_125710-225x300.jpg" alt="Avocado" width="225" height="300" srcset="https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150719_125710-225x300.jpg 225w, https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150719_125710-768x1024.jpg 768w" sizes="(max-width: 225px) 85vw, 225px" /></a></p>
<p>Given the many mishaps of the conference over the next few days, I will not describe it here, and will instead describe the fun after the conference and some everyday sights that are rare on the mainland.</p>
<ul>
<li>Pedestrians obey the traffic lights</li>
<li>On escalators everyone stands on the right, leaving the left free for people in a hurry</li>
<li>Cars stop and wait for pedestrians</li>
<li>Very little horn honking</li>
<li>Waste is sorted for recycling</li>
<li>People would rather stand than sit in the priority seats</li>
</ul>
<p>Over the following days I visited Sun Moon Lake, Anping Fort, Chihkan Tower, the National Palace Museum in Taipei, Taipei 101, Taipei Botanical Garden, the Presidential Office, the Red House in Ximen, Miyahara (宫原眼科), Din Tai Fung, Ay-Chung Flour-Rice Noodle, Ximending, Longshan Temple, Chiang Kai-shek Memorial Hall, National Taiwan University and more.</p>
<p>Worth noting: in Taichung, Ziyu Wu hit it off with a girl called 吴斌, a senior at Guangxi University for Nationalities. Shh...</p>
<figure id="attachment_211" style="width: 300px" class="wp-caption alignnone"><a href="https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150727_125711.jpg"><img class="size-medium wp-image-211" src="https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150727_125711-300x225.jpg" alt="Sun Moon Lake" width="300" height="225" srcset="https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150727_125711-300x225.jpg 300w, https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150727_125711-1024x768.jpg 1024w" sizes="(max-width: 300px) 85vw, 300px" /></a><figcaption class="wp-caption-text">Sun Moon Lake</figcaption></figure>
<figure id="attachment_210" style="width: 300px" class="wp-caption alignnone"><a href="https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150724_181618.jpg"><img class="size-medium wp-image-210" src="https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150724_181618-300x225.jpg" alt="Presidential Office" width="300" height="225" srcset="https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150724_181618-300x225.jpg 300w, https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150724_181618-1024x768.jpg 1024w" sizes="(max-width: 300px) 85vw, 300px" /></a><figcaption class="wp-caption-text">Presidential Office</figcaption></figure>
<figure id="attachment_209" style="width: 300px" class="wp-caption alignnone"><a href="https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150724_161523.jpg"><img class="size-medium wp-image-209" src="https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150724_161523-300x225.jpg" alt="National Taiwan University" width="300" height="225" srcset="https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150724_161523-300x225.jpg 300w, https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150724_161523-1024x768.jpg 1024w" sizes="(max-width: 300px) 85vw, 300px" /></a><figcaption class="wp-caption-text">National Taiwan University</figcaption></figure>
<figure id="attachment_208" style="width: 300px" class="wp-caption alignnone"><a href="https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150724_095036.jpg"><img class="size-medium wp-image-208" src="https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150724_095036-300x225.jpg" alt="Chiang Kai-shek Memorial Hall" width="300" height="225" srcset="https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150724_095036-300x225.jpg 300w, https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150724_095036-1024x768.jpg 1024w" sizes="(max-width: 300px) 85vw, 300px" /></a><figcaption class="wp-caption-text">Chiang Kai-shek Memorial Hall</figcaption></figure>
<figure id="attachment_206" style="width: 225px" class="wp-caption alignnone"><a href="https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150728_181512.jpg"><img class="size-medium wp-image-206" src="https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150728_181512-225x300.jpg" alt="Din Tai Fung" width="225" height="300" srcset="https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150728_181512-225x300.jpg 225w, https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150728_181512-768x1024.jpg 768w" sizes="(max-width: 225px) 85vw, 225px" /></a><figcaption class="wp-caption-text">Din Tai Fung</figcaption></figure>
<figure id="attachment_207" style="width: 225px" class="wp-caption alignnone"><a href="https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150723_165214.jpg"><img class="size-medium wp-image-207" src="https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150723_165214-225x300.jpg" alt="Taipei 101" width="225" height="300" srcset="https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150723_165214-225x300.jpg 225w, https://blog.ctyi.me/wp-content/uploads/2015/08/IMG_20150723_165214-768x1024.jpg 768w" sizes="(max-width: 225px) 85vw, 225px" /></a><figcaption class="wp-caption-text">Taipei 101</figcaption></figure>
<h1>Deploying Jenkins and Jenkins slaves in Docker for continuous integration</h1>
<p>2015-07-01 · <a href="https://blog.ctyi.me/archives/%E5%9C%A8docker%E4%B8%AD%E9%83%A8%E7%BD%B2jenkins%E5%92%8Cjenkins-slave%E5%B9%B6%E8%BF%9B%E8%A1%8C%E6%8C%81%E7%BB%AD%E9%9B%86%E6%88%90">https://blog.ctyi.me/archives/%E5%9C%A8docker%E4%B8%AD%E9%83%A8%E7%BD%B2jenkins%E5%92%8Cjenkins-slave%E5%B9%B6%E8%BF%9B%E8%A1%8C%E6%8C%81%E7%BB%AD%E9%9B%86%E6%88%90</a></p>
<h2 id="一些对docker的介绍">A brief introduction to Docker</h2>
<p>First, an introduction to Docker copied from the official Docker website:</p>
<blockquote>
<p>Docker is an open platform for building, shipping and running distributed applications. It gives programmers, development teams and operations engineers the common toolbox they need to take advantage of the distributed and networked nature of modern applications.</p>
</blockquote>
<p>Put simply, Docker is a container that uses cgroups in the Linux kernel to isolate resources, built on LXC; in effect a simplified virtual machine. Think of it this way: a process running in Docker is isolated by Docker and cannot see processes outside it, and the resources it can access are limited by the corresponding cgroups.</p>
<p>Docker has the following advantages:</p>
<ol>
<li>It creates an undisturbed environment</li>
<li>Docker Hub already has a large number of pre-configured images; just download and use them</li>
<li>Docker is more lightweight than a virtual machine</li>
</ol>
<p>First, a few concepts:</p>
<ol>
<li>images: the disk image of a system. Docker images are differential: Docker overlays a new layer on top of an image, and every file change inside the running container lands in that new layer. Layers can also be stacked on an existing image to form a new image.</li>
<li>container: the virtual machine that actually runs. A container starts a process from an image, and when that process exits the container stops. The newly created layer is not removed automatically, so the container can still be restarted with <code class="language-plaintext highlighter-rouge">docker start $ID</code>.</li>
</ol>
<p>For everything else, see <a href="https://docs.docker.com/" target="_blank">https://docs.docker.com/</a></p>
<h2 id="jenkins">Jenkins</h2>
<p>Jenkins is a continuous integration tool, that is, it can run automated builds, deployments, unit tests and so on.</p>
<h2 id="安装方法">Installation</h2>
<p><a href="https://registry.hub.docker.com/_/jenkins/" target="_blank">Official Jenkins Docker image</a></p>
<p>The link above gives detailed deployment instructions. Just <code class="language-plaintext highlighter-rouge">docker pull jenkins</code> and then run</p>
<pre class="lang:sh decode:true ">docker run --name myjenkins -d -p 8000:8080 -v /var/jenkins_home jenkins</pre>
<p>and a container running Jenkins is up, sparing you the trouble of installing a JDK. Next, visit 127.0.0.1:8000 and, under Manage Jenkins, search for and install the Docker Plugin. Note that because Google is unreachable from inside China, the “check internet” step takes a very long time and then times out. I suggest running</p>
<pre class="lang:sh decode:true ">docker exec -i -t $ID bash</pre>
<p>and then editing /etc/hosts to point www.google.com at the IP of www.baidu.com...</p>
<p>Next comes configuring the Jenkins slave.</p>
<p>There is a catch here: Jenkins starts the slave by calling the Docker API on the host, but Jenkins itself runs inside a container and so cannot reach the host’s Docker API. To handle this, add the following to the Docker configuration file on the host</p>
<pre class="lang:default decode:true ">DOCKER_OPTS="-H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock"</pre>
<p>so that Docker listens on all interfaces (remember to configure the firewall: this TCP socket is unauthenticated, and anyone who can reach it controls the host).</p>
<p>Then create a Dockerfile on the host. The key parts are:</p>
<ul>
<li>Install ssh-server</li>
<li>Allow SSH login</li>
<li>Install OpenJDK and set the environment variables</li>
<li>Set the locale and similar settings</li>
<li>Because my project uses Python, also set up virtualenv, python and so on. The complete Dockerfile follows</li>
</ul>
<pre class="lang:default decode:true "># Jenkins slave image: Debian jessie with sshd, OpenJDK 7, Python and git
FROM debian:jessie
MAINTAINER Tianyi Cui
# local apt mirror list
COPY sources.list /etc/apt/sources.list
RUN apt-get update && apt-get install -y supervisor openssh-server \
python python-pip python-virtualenv \
openjdk-7-jdk \
git \
locales
# generate a UTF-8 locale so builds with non-ASCII output do not break
RUN export LANGUAGE=C.UTF-8 && \
export LANG=C.UTF-8 && \
export LC_ALL=C.UTF-8 && \
locale-gen C.UTF-8 && \
DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
# sshd needs its privilege-separation directory to exist
RUN mkdir /var/run/sshd
# root password that Jenkins will use to log in to the slave (replace yourpassword)
RUN echo 'root:yourpassword' | chpasswd
RUN sed -i 's/PermitRootLogin without-password/PermitRootLogin yes/' /etc/ssh/sshd_config
# pam_loginuid fails inside a container, so make it optional
RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd
ENV NOTVISIBLE "in users profile"
RUN echo "export VISIBLE=now" >> /etc/profile
# supervisord keeps sshd running as the container's foreground process
RUN mkdir -p /var/log/supervisor
COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
ENV LANG C.UTF-8
ENV LANGUAGE C.UTF-8
ENV LC_ALL C.UTF-8
ENV JAVA_TOOL_OPTIONS -Dfile.encoding=UTF8
CMD ["/usr/bin/supervisord"]
EXPOSE 22
</pre>
<pre class="lang:default decode:true" title="The corresponding supervisord.conf">[supervisord]
nodaemon=true
[program:sshd]
command=/usr/sbin/sshd -D
</pre>
<p>Then run <code class="language-plaintext highlighter-rouge">docker build -t slave .</code> on it. Next, in Jenkins under Manage Jenkins -&gt; Cloud, fill in the host’s IP address and other details and add a Docker template; its label works the same as a node label, and the image id is the name given at docker build time. Done!</p>